SNMPv3 UserName is sent in clear text in each SNMPv3 PDU, also for Auth
and AuthPriv.

You could obtain it by sniffing packets, without any SNMP query (you could
check it using Wireshark or something similar).

Your change is pointless.

2017-05-08 8:04 GMT+02:00 Ulrich Windl <ulrich.wi...@rz.uni-regensburg.de>:

> >>> Madhusudhana R <madhusudhan...@in.abb.com> wrote on 05.05.2017 at 11:16 in message
> <DB4PR06MB41239E1A802B6A266FFCB8AB0EB0@DB4PR06MB412.eurprd06.prod.outlook.com>:
> > Hi Coders,
> >
> > Regarding a security related finding...
> >
> > When incorrect username is provided from manager (ManageEngine tool), the
> > manager throws "Discovery failed for username" which could be used by an
> > attacker to know whether user exists or not.
> >
> > I did a workaround and came up with fix.
> >
> > Please let me know if this fix is appropriate or not.
> >
> > In file snmpusm.c, in function usm_process_in_msg() and the code snippet
> > below, I changed the return value from SNMPERR_USM_UNKNOWNSECURITYNAME to
> > SNMPERR_USM_GENERICERROR, with which the error in Manager changed to
> > "Timesync failure" for an incorrect username.
>
> IMHO, the gain of guessing a user name is not a significant problem, as the
> password is what really protects the account. In any case, an error like
> "Timesync failure" for a bad user name is clearly to be rejected.
>
> Ulrich
>
>
> >
> >     /*
> >      * Locate the User record.
> >      * If the user/engine ID is unknown, report this as an error.
> >      */
> >     if ((user = usm_get_user_from_list(secEngineID, *secEngineIDLen,
> >                                        secName, userList,
> >                                        (((sess && sess->isAuthoritative ==
> >                                           SNMP_SESS_AUTHORITATIVE) ||
> >                                          (!sess)) ? 0 : 1)))
> >         == NULL) {
> >         DEBUGMSGTL(("usm", "Unknown User(%s)\n", secName));
> >         snmp_increment_statistic(STAT_USMSTATSUNKNOWNUSERNAMES);
> >         return SNMPERR_USM_GENERICERROR;  /* was SNMPERR_USM_UNKNOWNSECURITYNAME */
> >     }
> >
> > Thanks & Regards,
> > Madhu
>
>
>
>
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Net-snmp-coders mailing list
> Net-snmp-coders@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/net-snmp-coders
>



-- 
Łukasz Wrzesiński
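The point Łukasz makes above, as an added example that is not part of the thread or of Net-SNMP: a minimal BER walk over a constructed SNMPv3 authPriv message pulls msgUserName out of the USM security parameters without any key, which is why changing the agent's return code does not hide the user name. Only the field layout (RFC 3412 message, RFC 3414 UsmSecurityParameters) is real; the engine ID, auth/priv parameters and the ScopedPDU bytes are constructed placeholders.

```python
def ber_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(body)) + body

def ber_int(v: int) -> bytes:
    return tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))

def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the BER TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def build_snmpv3_message(username: bytes, flags: int, scoped_pdu: bytes) -> bytes:
    """Constructed SNMPv3 message (not a capture): engine ID, auth/priv params
    and the ScopedPDU are placeholders; the layout follows RFC 3412/3414."""
    header = tlv(0x30, ber_int(1) + ber_int(65507) + tlv(0x04, bytes([flags])) + ber_int(3))
    usm = tlv(0x30, tlv(0x04, b"\x80\x00\x1f\x88\x80PLACEHOLDER")     # msgAuthoritativeEngineID
                    + ber_int(7) + ber_int(12345)                     # engineBoots, engineTime
                    + tlv(0x04, username)                             # msgUserName
                    + tlv(0x04, b"\x00" * 12) + tlv(0x04, b"\x00" * 8))  # auth, priv params
    return tlv(0x30, ber_int(3) + header + tlv(0x04, usm) + tlv(0x04, scoped_pdu))

def extract_username(msg: bytes) -> tuple:
    """Read msgFlags and msgUserName straight off the wire bytes; no key involved."""
    _, body, _ = read_tlv(msg, 0)           # SNMPv3Message SEQUENCE
    _, _, pos = read_tlv(body, 0)           # msgVersion
    _, header, pos = read_tlv(body, pos)    # msgGlobalData
    _, sec_params, _ = read_tlv(body, pos)  # msgSecurityParameters OCTET STRING
    _, _, hp = read_tlv(header, 0)          # msgID
    _, _, hp = read_tlv(header, hp)         # msgMaxSize
    _, flags, _ = read_tlv(header, hp)      # msgFlags (0x03 = authPriv)
    _, usm, _ = read_tlv(sec_params, 0)     # UsmSecurityParameters SEQUENCE
    pos = 0
    for _ in range(3):                      # skip engineID, engineBoots, engineTime
        _, _, pos = read_tlv(usm, pos)
    _, user, _ = read_tlv(usm, pos)         # msgUserName: plaintext even for authPriv
    return user.decode(), flags[0]

# authPriv message whose ScopedPDU is opaque placeholder bytes; the username still parses.
SAMPLE = build_snmpv3_message(b"monitor", 0x03, b"\xaa" * 24)
```

The usmStatsUnknownUserNames counter incremented in the quoted snippet stays the agent-side signal for repeated bad-username attempts, whichever error code is returned to the manager.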